The HttpBasic authentication provider is currently enabled for every single page request in the critical performance path. The functionality won't be needed on many Drupal sites, so this should only be added if it gets enabled explicitly by the site administrator.
I see 2 approaches:
* move it to a separate module that can be enabled
* add a configuration file that specifies which authentication providers are enabled (you could even disable session cookie authentication with that)